Understanding Transport Routing in Exchange 2010 Hybrid Deployments

This topic discusses your routing options for inbound messages from the Internet and outbound messages to the Internet.

Note:

The examples in this topic don’t include the addition of Edge Transport servers into the hybrid deployment. The routes messages take between the on-premises organization, the Exchange Online organization, and the Internet don’t change with the addition of an Edge Transport server. The routing only changes within the on-premises organization. For more information about adding Edge Transport servers to a hybrid deployment, see Understanding Edge Transport Servers in Exchange 2010 Hybrid Deployments.

As part of planning and configuring your hybrid deployment, you need to decide whether you want all messages from Internet senders to be routed through your on-premises organization or through the Exchange Online organization. All messages from Internet senders will initially be delivered to the organization you select and then routed according to where the recipient’s mailbox is located. Whether you choose to have messages routed through your on-premises organization or the Exchange Online organization depends on various factors, including whether you want to apply compliance policies to all messages sent to both organizations, how many mailboxes are in each organization, and so on.

The path taken by messages sent to recipients in your on-premises and Exchange Online organizations depends on how you configure your MX record in your hybrid deployment. The Manage Hybrid Configuration wizard doesn’t configure the routing for inbound Internet messages for either the on-premises or Exchange Online organizations. You must manually configure your MX record if you want to change how your inbound Internet mail is delivered.

If you keep your MX record pointed to your on-premises organization: All messages sent to any recipient in either organization will be routed through your on-premises organization first. A message addressed to a recipient that's located in Exchange Online will be routed first through your on-premises organization and then delivered to the recipient in Exchange Online. This route can be helpful for organizations where you have compliance policies that require messages sent to and from an organization be examined by a journaling solution. This route is also recommended if you have more recipients in your on-premises organization than in your Exchange Online organization.

If you decide to change your MX record to point to the Microsoft Exchange Online Protection (EOP) service in Office 365: All messages sent to any recipient in either organization will be routed through the Exchange Online organization first. A message addressed to a recipient that's located in your on-premises organization will be routed first through your Exchange Online organization and then delivered to the recipient in your on-premises organization. This route is recommended if you have more recipients in your Exchange Online organization than in your on-premises organization.

Read the section below that matches how you plan to route messages sent from Internet senders to your on-premises and Exchange Online recipients.

The following steps and diagram illustrate the inbound Internet message path that will occur in your hybrid deployment if you decide to keep your MX record pointed to your on-premises organization.

An inbound message is sent from an Internet sender to the recipients chris@contoso.com and david@contoso.com. Chris's mailbox is located on an Exchange 2010 Mailbox server in the on-premises organization. David's mailbox is located in Exchange Online.

Because the recipients both have contoso.com email addresses, and the MX record for contoso.com points to the on-premises organization, the message is delivered to an Exchange 2010 Mailbox server.

The Exchange 2010 Mailbox server performs a lookup for each recipient using an on-premises global catalog server. Through the global catalog lookup, it determines that Chris's mailbox is located on the Exchange 2010 Mailbox server while David's mailbox is located in the Exchange Online organization and has a hybrid routing address of david@contoso.mail.onmicrosoft.com.

The Exchange 2010 Mailbox server splits the message into two copies. One copy of the message is delivered to Chris’s mailbox.

The second copy of the message is sent through the routing group connector that's configured between the hybrid servers and the Exchange 2010 server.

A hybrid Hub Transport server sends the message to EOP, which receives messages sent to the Exchange Online organization, using a Send connector configured to use TLS.

EOP sends the message to the Exchange Online organization where the message is scanned for viruses and delivered to David's mailbox.

Diagram: Route mail through the on-premises organization for both on-premises and Exchange Online organizations

The following steps and diagrams illustrate the inbound message path that occurs in your hybrid deployment if you decide to point your MX record to the EOP service in the Office 365 organization. The message path differs depending on whether you choose to enable centralized mail transport.

Important:

You may need to purchase EOP licenses for each on-premises mailbox that receives messages that are first delivered to EOP and then routed through the Exchange Online organization. Contact your Microsoft reseller for more information.

When centralized mail transport is disabled (default configuration), incoming Internet messages are routed as follows in a hybrid deployment:

An inbound message is sent from an Internet sender to the recipients chris@contoso.com and david@contoso.com. Chris's mailbox is located on an Exchange 2010 Mailbox server in the on-premises organization. David's mailbox is located in Exchange Online.

Because the recipients both have contoso.com email addresses, and the MX record for contoso.com points to EOP, the message is delivered to EOP.

EOP routes the messages for both recipients to Exchange Online.

Exchange Online scans the messages for viruses and performs a lookup for each recipient. Through the lookup, it determines that Chris's mailbox is located in the on-premises organization while David's mailbox is located in the Exchange Online organization.

Exchange Online splits the message into two copies. One copy of the message is delivered to David's mailbox.

The second copy is sent from Exchange Online back to EOP.

EOP sends the message to the hybrid Exchange 2010 Hub Transport servers in the on-premises organization.

A hybrid Hub Transport server sends the message through the routing group connector that’s configured between the hybrid servers and the Exchange 2010 Mailbox server. The Exchange 2010 Mailbox server delivers the message to Chris's mailbox.

When centralized mail transport is enabled, incoming Internet messages are routed as follows in a hybrid deployment:

An inbound message is sent from an Internet sender to the recipients chris@contoso.com and david@contoso.com. Chris's mailbox is located on an Exchange 2010 Mailbox server in the on-premises organization. David's mailbox is located in Exchange Online.

Because the recipients both have contoso.com email addresses, and the MX record for contoso.com points to EOP, the message is delivered to EOP and scanned for viruses.

Since centralized mail transport is enabled, EOP routes the messages for both recipients to the on-premises hybrid Exchange 2010 Hub Transport server.

The hybrid Hub Transport server performs a lookup for each recipient. Through the lookup, it determines that Chris's mailbox is located in the on-premises organization while David's mailbox is located in the Exchange Online organization.

The hybrid Hub Transport server splits the message into two copies. One copy of the message is delivered to Chris’s mailbox in the on-premises Exchange 2010 server.

The second copy is sent from the hybrid Hub Transport server back to EOP.

EOP sends the message to Exchange Online.

Exchange delivers the message to David's mailbox.

Diagram: Route mail through the Exchange Online organization for both on-premises and Exchange Online organizations with centralized mail transport enabled

In addition to choosing how inbound messages addressed to recipients in your organizations are routed, you can also choose how outbound messages sent from Exchange Online recipients are routed. When you run the Hybrid Configuration wizard, you can select one of two options:

Enable centralized mail transport: Selecting this option routes outbound messages sent from the Exchange Online organization through your on-premises organization. Except for messages sent to other recipients in the same Exchange Online organization, all messages sent from recipients in the Exchange Online organization are sent through the on-premises organization. This enables you to apply compliance rules to these messages and any other processes or requirements that must be applied to all of your recipients, regardless of whether they're located in the Exchange Online organization or the on-premises organization.

Note:

Centralized mail transport is only recommended for organizations with specific compliance-related transport needs. Our recommendation for typical Exchange organizations is not to enable centralized mail transport.

Don’t enable centralized mail transport: Selected by default in the Manage Hybrid Configuration wizard, this option routes outbound messages sent from the Exchange Online organization directly to the Internet. Use this option if you don't need to apply any on-premises compliance policies or other processing rules to messages that are sent from recipients in the Exchange Online organization.

Messages sent from on-premises recipients are always sent directly to Internet recipients using DNS, regardless of which of the above choices you select in the Manage Hybrid Configuration wizard.

The following steps and diagram illustrate the outbound message path for messages sent from on-premises recipients.

Chris, who has a mailbox on the on-premises Exchange 2007 Mailbox server, sends a message to an external Internet recipient, erin@cpandl.com.

The Exchange 2010 server looks up the MX record for cpandl.com and sends the message to the cpandl.com mail servers located on the Internet.

Diagram: Messages from on-premises senders to Internet recipients

Read the section below that matches how you plan to route messages sent from recipients in the Exchange Online organization to Internet recipients.

The following steps and diagram illustrate the outbound message path for messages sent from Exchange Online recipients to an Internet recipient that occurs when Enable centralized mail transport is not selected in the Manage Hybrid Configuration wizard, which is the default configuration.

David, who has a mailbox in the Exchange Online organization, sends a message to an external Internet recipient, erin@cpandl.com.

Exchange Online scans the message for viruses and sends the message to the Exchange Online EOP company.

EOP looks up the MX record for cpandl.com and sends the message to the cpandl.com mail servers located on the Internet.

The following steps and diagram illustrate the outbound message path for messages sent from Exchange Online recipients to an Internet recipient that occurs when you select Enable centralized mail transport in the Manage Hybrid Configuration wizard.

David, who has a mailbox in the Exchange Online organization, sends a message to an external Internet recipient, erin@cpandl.com.

Exchange Online scans the message for viruses and sends the message to EOP.

EOP is configured to send all Internet-bound messages to an on-premises server, so the message is routed to a hybrid Hub Transport server. The message is sent using TLS.

A hybrid Hub Transport server performs compliance and any other processes configured by the administrator on David's message.

The hybrid Hub Transport server looks up the MX record for cpandl.com and sends the message to the cpandl.com mail servers located on the Internet.
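
The inbound and outbound paths described on this page, modeled as an added example (not code from the original documentation): it enumerates every combination of MX target, centralized mail transport setting, and mailbox location, and reports the flows that never pass through the on-premises organization, which is where on-premises compliance or journaling would not see them. The function names and hop labels are assumptions made for this example.

```python
# Hop names are shorthand labels chosen for this example, not product identifiers.
ONPREM_MBX, HYBRID_HUB = "on-premises Mailbox server", "hybrid Hub Transport"
EOP, EXO, INTERNET = "EOP", "Exchange Online", "Internet"

def inbound_path(mx_target, centralized, mailbox):
    """Hops for Internet mail; mx_target is 'onprem' or 'eop', mailbox 'onprem' or 'online'."""
    if mx_target == "onprem":
        # MX -> on-premises: lookup and split happen on the on-premises server.
        # The page describes no effect of centralized transport on this path.
        hops = [INTERNET, ONPREM_MBX]
        return hops + ([HYBRID_HUB, EOP, EXO] if mailbox == "online" else [])
    if centralized:
        # MX -> EOP, centralized transport: EOP hands every message to on-premises.
        hops = [INTERNET, EOP, HYBRID_HUB]
        return hops + ([ONPREM_MBX] if mailbox == "onprem" else [EOP, EXO])
    # MX -> EOP, default: Exchange Online performs the lookup and split.
    hops = [INTERNET, EOP, EXO]
    return hops + ([EOP, HYBRID_HUB, ONPREM_MBX] if mailbox == "onprem" else [])

def outbound_path(sender, centralized):
    """Hops for mail to an Internet recipient; sender is 'onprem' or 'online'."""
    if sender == "onprem":
        return [ONPREM_MBX, INTERNET]  # always direct, via MX lookup
    if centralized:
        return [EXO, EOP, HYBRID_HUB, INTERNET]
    return [EXO, EOP, INTERNET]

def traverses_onprem(hops):
    return any(h in (ONPREM_MBX, HYBRID_HUB) for h in hops)

def flows_bypassing_onprem():
    """Flows that on-premises compliance or journaling never sees."""
    missed = []
    for mx in ("onprem", "eop"):
        for central in (False, True):
            for mbx in ("onprem", "online"):
                if not traverses_onprem(inbound_path(mx, central, mbx)):
                    missed.append(("inbound", mx, central, mbx))
    for central in (False, True):
        for sender in ("onprem", "online"):
            if not traverses_onprem(outbound_path(sender, central)):
                missed.append(("outbound", sender, central))
    return missed

if __name__ == "__main__":
    for flow in flows_bypassing_onprem():
        print(flow)
```

With the routes as described here, only two flows skip the on-premises organization: inbound mail to an Exchange Online mailbox when the MX record points to EOP and centralized mail transport is disabled, and outbound mail from Exchange Online when centralized mail transport is disabled.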